reviewing-dependency-changes
Reviewing Dependency Changes
Manifest File Detection
Flag this skill when any of these files appear in the diff:
npm: package.json, package-lock.json
NuGet: *.csproj, Directory.Packages.props, packages.lock.json
Cargo: Cargo.toml, Cargo.lock
Go: go.mod, go.sum
Python: requirements.txt, pyproject.toml, poetry.lock
RubyGems: Gemfile, Gemfile.lock
Area 1: New Dependencies
When a PR adds a dependency that was not previously in the codebase, Bitwarden's Dependency Review and Approval process requires AppSec review and approval before integration. This applies to all new dependencies — production, dev, and test.
The submitter must provide the package name/version, ecosystem, justification, scope, affected products, and what it replaces. A security engineer creates a VULN task in Jira and evaluates the dependency before rendering an approval decision. The evaluation covers security (known CVEs, exploitability), license compatibility (permissive licenses like MIT/Apache-2.0 are acceptable; copyleft licenses like GPL/AGPL are flagged), maintenance health (active maintainers, recent releases, security policy), supply chain risk (typosquatting, ownership changes, obfuscated install scripts), and transitive dependencies.
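As an added example (not part of the skill or of Bitwarden's tooling), the following Python covers both steps above: it flags the manifest files listed under Manifest File Detection in a list of changed paths, and it compares a before/after package.json to report only dependencies that did not exist anywhere in the previous manifest, so version bumps and moves between sections are not treated as new. The package names and manifests are constructed sample input.

```python
import fnmatch
import json

# Manifest files from the Manifest File Detection list, grouped by ecosystem.
MANIFEST_PATTERNS = {
    "npm": ["package.json", "package-lock.json"],
    "nuget": ["*.csproj", "Directory.Packages.props", "packages.lock.json"],
    "cargo": ["Cargo.toml", "Cargo.lock"],
    "go": ["go.mod", "go.sum"],
    "pypi": ["requirements.txt", "pyproject.toml", "poetry.lock"],
    "rubygems": ["Gemfile", "Gemfile.lock"],
}

def manifests_in_diff(changed_paths):
    """Return {path: ecosystem} for each changed file that is a dependency manifest."""
    hits = {}
    for path in changed_paths:
        name = path.rsplit("/", 1)[-1]  # match on the basename only
        for ecosystem, patterns in MANIFEST_PATTERNS.items():
            if any(fnmatch.fnmatchcase(name, p) for p in patterns):
                hits[path] = ecosystem
    return hits

# Every section counts: production, dev and test dependencies all need review.
NPM_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def new_npm_dependencies(old_text, new_text):
    """List packages in new_text that appear in no section of old_text (None = new file)."""
    old = json.loads(old_text) if old_text else {}
    new = json.loads(new_text)
    seen_before = set()
    for section in NPM_SECTIONS:
        seen_before.update(old.get(section, {}))
    added = []
    for section in NPM_SECTIONS:
        for name, spec in new.get(section, {}).items():
            if name not in seen_before:  # a version bump or section move is not "new"
                added.append({"name": name, "version": spec, "section": section})
    return added

# Constructed sample manifests: one version bump, one prod addition, one dev addition.
OLD_PKG = '{"dependencies": {"http-client-a": "^4.18.2"}, "devDependencies": {"test-runner-a": "^29.0.0"}}'
NEW_PKG = ('{"dependencies": {"http-client-a": "^4.19.0", "pad-util-b": "^1.3.0"},'
           ' "devDependencies": {"test-runner-a": "^29.0.0", "test-runner-c": "^1.0.0"}}')

if __name__ == "__main__":
    print(manifests_in_diff(["src/App.csproj", "README.md", "apps/web/package.json", "go.sum"]))
    for dep in new_npm_dependencies(OLD_PKG, NEW_PKG):
        print(f"NEW {dep['section']}: {dep['name']}@{dep['version']} -> needs AppSec review")
```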